Written Mid Term Flashcards
- Describe the different roles of the red, blue, orange, purple teams in a cyber exercise
Red Team: (External team) Attackers
Blue Team: (Internal Team) Protect company resources
Orange Team: End Users
Purple Team: Provides in-depth analysis of red-blue team interaction
Works with TTPs (tactics, traits, procedures)
- Give two examples of a vulnerability, threat, risk and asset
Vulnerabilities: unpatched system, open ports
Threat: E-mail phishing, zero-day attack
Risk: the probability of a threat exploiting a vulnerability
Asset: proprietary software, company data
- What is the CVE database and the NVD database
CVE – list of entries containing ID #, description, public reference
NVD – US government; checklists, flaws, misconfigurations, National Vulnerability Database
- Describe the stages of the author’s pentesting process and apply to a scenario
Intelligence Gathering - looking at company websites/emails/phone numbers
Initial foothold - gain access to the network
Local/network enumeration - build a list of devices on the network
Local privilege escalation – use a tool like meterpreter to look for vulnerable + exploitable service paths
Persistence – create reverse listeners / backup admin account
Internal movement – infecting other devices on the network
Domain Privilege escalation – get the AD hashes
Dumping hashes – John the Ripper
Data identification/exfiltration
Reporting
- Describe how you would build your pentesting testing box
Isolated PC running a replica network
- OS to attack
o Win10
o Server
- Tools
o Kali
o Wireshark
o Nessus
o Burp
o Recon-ng
o Sqlmap
o Mimikatz
o Etc.
- Describe activities you can perform in a passive pentesting scan
Activities that don't touch the target
Profile Organization -> whois
Profile network -> recon-ng
- What website can be used to view old webpages
Wayback Machine -> archive.org
- Describe activities you can perform in an active pentesting scan
Social Engineering
Banner Grabs
Nmap scans
Nessus scans
- Describe common ICMP error codes. (ICMP type 0,3,8)
ICMP type 0 = network unreachable
ICMP type 3 = port unreachable
ICMP type 8 = source host isolated
- In reference to the above question, what can a hacker use ICMP error codes for?
One can map the network
- What information can you gather from DNS recon?
SOA
MX
NS (name, SRV)
Host Record (A, AAAA)
- What is a banner grab?
Scan of a port to gain high-level info on the service offered on that port
- Know the different types of scans NMAP can do and how it does the scan (null, syn, xmas, tcp, version)(indicate TCP flags used)
- Null
o -sN
o TCP packets with sequence number of 0 and no flags set
- SYN
o -sS
o Sends SYN packets to all ports until a SYN/ACK is received from an open port
- XMAS
o -sX
o FIN, URG, PSH flags
- TCP
o -sT
o Waits for the session to complete the three-way handshake
- Version
o -sV
o Looks for the version through an open port
- Know what is returned, when a scan hits an open or closed port or a firewall
Open: SYN/ACK
Firewall
No firewall, closed: RST
- What type of scan will always find a live host?
ARP scan
- Know how to create a python banner grabber
import socket
hostname, port = "target-host", 22  # hostname or IP address and port of the service to grab the banner from
s = socket.socket()
s.connect((hostname, port))
print(s.recv(1024))  # the banner the service sends on connect
s.close()
- Know the difference and usage of a credentialed and non-credentialed scan
Credentialed – authenticated scan of a host (username/password) allows the scanner to see problems that can't be seen without authentication
Non-credentialed – quick view of vulnerabilities by looking at services exposed by the host
- Describe four methods for making the initial foothold into an organization
Email spear phishing -> user clicks on a link
DNS redirection (user visits malicious website)
Web server (default password)
Breach of input flaws (input login)
- Describe the web environment and common attacks against the servers. (dns, dos, buffer overflow)
DNS – inputs malicious pointer records to point users to your malicious website
DOS – overloading the host with SYN packets
Buffer overflow – overload memory buffer to the point it will run embedded scripts
- Describe input/form tampering
Attacker modifies : hidden fields, pre-selected parameters, attribute parameters
- Describe attacks against the web client environment
SQL Injections – inputting SQL statements to gain access to the database
- What can the Burp proxy do?
Act as man-in-the-middle
Captures traffic with the ability to manipulate the traffic
- What does burp proxy have to do with HTTPS websites?
- What does OWASP web application scanner do?
Scans the website + website file structure to test for vulnerabilities such as XSS
- Describe the functionality of metasploit
Metasploit is an automated, open source, exploitation framework. It contains tools for scanning, exploit development, exploitation, and post-exploitation
- Describe the functionality of meterpreter
Meterpreter is a consistent, cross-platform, post-exploitation, UNIX-like command-line interface. It can act as an in-memory stager for loading exploit code such as persistent backdoors, remote packet sniffing, key logging, and system information dumps, among others.
- What is a reverse shell
A reverse shell is a shell run from the target system that communicates back to the attacker
- What is beaconing?
Beaconing is when an infected computer reaches out to the attacker to signify installation and to wait for further instructions.
- Describe the heartbleed vulnerability
Heartbleed was an OpenSSL vulnerability that revealed a large part of a system's RAM when a large amount of info was asked from it.
- Describe the shellshock vulnerability
Shellshock was a Bash vulnerability which forced systems to accept code without authentication and then beacon back to the attacker.
- Describe the functionality of MSFvenom
MSFvenom is a beacon-creating application available inside metasploit designed to avoid antivirus software.
- What is a clear indication that a website is susceptible to an SQL attack?
The input fields accept special characters.
- Describe how an XSS attack takes place
An XSS attack occurs when malicious scripts are injected into trusted websites.
- What makes a website vulnerable to a XSS attack?
Lack of input validation in a web application, which allows an attacker to write script code into a user's browser
- Describe an SQLi attack
An SQLi attack is used to attack data-driven applications with SQL statements which run against the backend SQL database.
- Describe the functionality of Beef
Works in tandem with an XSS attack using Burp or another open-source/commercial proxy. It allows the attacker to also gather information once the victim is under their control by creating a payload which redirects the victim to a malicious BeEF website.
- What is the usage of error messages for the pentester?
Can be used as information for the pentester to try out SQL statements or to gain additional information on the target system.
- What authentication method does a windows computer use when accessing a computer by name or FQDN when it is part of a domain?
SMB protocol
- What authentication method does a windows computer use when accessing a computer by IP address. (what does the computer send first for authentication)
NTLM or SMB
- Describe the NTLM process
- User sends connection request to server
- Server generates a 16-bit random one-time number to be encrypted by the user, called the challenge/nonce
- User encrypts the challenge/nonce with the hash of the user's password
- Server validates the encrypted challenge
- Sends the DC the username, the challenge sent to the client, and the response received from the client
- DC uses the username to retrieve the user's hashed password from the SAM database
- DC compares the encrypted challenge to the response from the client
If identical, authentication is successful
- Describe the entire process your computer goes through in order to send a packet on the network when you enter www.google.com into a browser
DNS tries to resolve the FQDN
- Looks locally through its DNS records/hosts file
- If it's not listed it will query DNS servers, then resolve IP to domain name
o If that doesn't work, it tries LLMNR + NetBIOS broadcast
- 3- way handshake with web server
- http/https webpage is displayed
- In reference to the question above, how can the process be compromised?
- A man-in-the-middle attack or if traffic between the two computers was sniffed
- By flooding the victim with LLMNR or NetBIOS response packets
- Describe the entire process your computer goes through in order to send a packet on the network when you enter \\class-server into your computer
Resolves the computer name to an IP address; from the IP address it gets resolved to a MAC address
- Describe the functionality of the LSASS
Stores Windows credentials for ease of use; current and past user credentials are stored and used for authentication
- Describe 3 methods of escalating privileges
Misconfigured privileges
Services with unquoted paths
Services which are writeable by everyone
Misconfigured group policies
- Describe the process of running PSEXEC and Windows PowerShell remotely
PowerShell – enables WinRM and runs as an endpoint; collects a session from the target IP address of the server; manages systems remotely due to remote PowerShell being enabled
PSEXEC: used to run remote commands on a Windows system, but only if its ports 135 and 445 are open; can also be run from PowerShell
- What is LLMNR, Netbios and ARP used for
LLMNR: protocol based on the DNS packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link
NetBIOS: program that allows applications on different computers to communicate within a LAN
ARP: network layer protocol used to convert an IP address into a physical address
- How can the above be exploited
You can use a tool called Responder which listens and responds to LLMNR and NBT-NS
Poisoning the LLMNR and NBT-NS tables
- What surprised us about Server 2016 in reference to PowerShell?
It already had remote PowerShell enabled by default, allowing remote access to the server without the server knowing